Vault or Credentials
A credential is a saved User ID and optional password/domain association that your Vendors can reuse with many Applications.
Adding credentials enables you to store and authenticate a valid username and password credentials to RDP, SSH, and Telnet services for an Application.
When your Vendor accesses your Application and selects the service, the User ID and password you provide will be passed through to the RDP, SSH, or Telnet log in window. If the credentials are accepted, your Vendor will be forwarded directly to the desktop to perform their work.
From the Vault or Credentials menu, you can add credentials, create credential categories, add credential pools, manage SSH Keys, and manage HTTP Credential Mappings.
From Version 25.1 on, the platform manages these features in the Vault menu, using Secrets. Some features in this section may only be available in previous versions of VPAM, under the Credentials menu.
The new User Interface, using the Vault, also enables you to create Tasks for the Password Rotation Feature.
Add a Secret or a Credential

To add a secret, click Add New Secret in the Vault page. Select the type of secret you want to add:
- Password Credential: A User ID/Password association.
- SSH Key Credential: A User ID/SSH Key association.
Complete the selected option's form and Save the changes.
Using this method in the Vault also enables you to create Tasks for the Password Rotation Feature.

To add new credentials:
- Select Add New Credential from the Credentials section.
- Enter information in the following fields:
  - Credential Name (required): Enter a unique name for this credential.
  - Description: An optional description field.
  - User ID (required): Enter the User ID to be stored.
  - SSH Authentication Option: Select the type of credential association. Password: provide a password for the user. SSH Key Pair: provide the Key Pair name.
  - Password / Confirm Password (for the Password selection in SSH Authentication Option): If desired, enter a password to associate to the referenced User ID.
  - HTTP Credential Mapping (for the Password selection in SSH Authentication Option): Required for HTTP Credential Mapping services configured in your Applications.
  - SSH Key Pair Name (for the SSH Key Pair selection in SSH Authentication Option): Provide the SSH Key Pair Name.
  - Domain: Enter the domain (if any) that is associated with the referenced User ID.
- After you add one or more credentials, you can edit application services to take advantage of the new credentials.

To view a Secret or a Credential, click the name of the Secret or Credential you want to view.
The View Secret or View Credential page enables you to edit or delete the credential.

From the View Secret or View Credential page, click Edit. System admins can edit all the fields in the Credential registry.

From the Edit Secret or Edit Credential page, click Delete.
Credential Pools
A credential pool is a group of credentials based upon port type (e.g. RDP, SSH, Telnet). Adding credentials enables you to store and authenticate valid username and password credentials to credential-enabled services for an Application. Credentials cannot be shared across multiple pools.
When you access an Application's service, the User ID and Password provided by the stored credential will be automatically passed to the associated Client and you will be automatically logged in.
Credential Pools, once defined, are instanced per Host Name. This means that a Credential Pool may hand out the same credential more than once; because the hostname differs, this is acceptable, as the target is presumed to be a different system. If a hostname is defined twice, once as a string (host.domain.tld) and once as an IP address (192.168.1.1), Imprivata Vendor Privileged Access Management treats these as two separate hostnames and two separate pool instances.
The Credential Pools feature is not available yet for versions 25.1+.

To add new credential pools:
- Select Add Credential Pool from the Credentials menu.
- Enter information in the following fields:
  - Name (required): Enter a unique name for this Credential Pool.
  - Port Type (required): Select a Port Type for this Credential Pool.
  - HTTP Credential Mappings: Applies when HTTP or HTTPS are specified as the Port Type.

To add credentials to a credential pool:
- Click New Credential in the target Credential Pool.
- Click Add New Credential.
- Enter information in the following fields:
  - Credential Name (required): Enter a unique name for this credential.
  - Description: An optional description field.
  - User ID (required): Enter the User ID to be stored.
  - Password / Confirm Password
  - Domain: Enter the domain (if any) that is associated with the referenced User ID.
- Use the credential pool for your services.
SSH Key Pairs
SSH Credentials may use password or key based authentication. To use key based authentication, you must upload the credential to the Imprivata Vendor Privileged Access Management server as a Private Key / Public Key pair so that the server may present this on behalf of the connecting user.
- Navigate to System Administration > Credentials > New SSH Key Pair.
- Type a name for the SSH Key Pair.
- Type a meaningful description.
- Click Upload to upload a new SSH Key Pair.
- Click Choose File to select a file for the Private Key File.
- Click Choose File to select a file for the Public Key File.
- Click Save SSH Key Pair.
Once uploaded, the Key Pair can be linked to most Imprivata Vendor Privileged Access Management credential types (all but Credential Pools). A Key Pair may be linked to multiple credentials at the same time.
VPAM is compatible with RSA, DSA and ECDSA key formats. Generate a key from the command line:
ssh-keygen -m PEM
Legacy OpenSSH versions do not support the -m PEM flag. For these versions, the flag is not required and the generated keys should work by default.
If you have an existing OpenSSH key in the new format, you may need to convert it to PEM (-m PEM) format. Here's an example command to do the conversion:
ssh-keygen -p -f /path/user/.ssh/existing_keyfile -m PEM
The -p flag changes the key's passphrase; leaving the new passphrase empty removes it, and together with -m PEM the private key file is rewritten in PEM format.
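The checks below are an added example, not part of the Imprivata documentation: they detect whether a private key already carries the PEM header VPAM accepts and, if it is in the newer OpenSSH container, apply the conversion command from this section. The function names, the ECDSA choice in generate_pem_key and the placeholder sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the VPAM documentation): check whether an SSH private
# key is in the PEM container VPAM accepts, and convert it with the ssh-keygen
# command the documentation gives if it is in the newer OpenSSH format.

# Print "pem" for a classic RSA/DSA/EC header, "openssh" for the newer
# OpenSSH container, "unknown" for anything else (including a missing file).
key_format() {
  header=$(head -n 1 "$1" 2>/dev/null || true)
  case "$header" in
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
      echo pem ;;
    "-----BEGIN OPENSSH PRIVATE KEY-----")
      echo openssh ;;
    *)
      echo unknown ;;
  esac
}

# Generate a new key directly in PEM format (ECDSA chosen here; RSA and DSA
# are also accepted by VPAM). $1 is the key path, $2 the key comment.
generate_pem_key() {
  ssh-keygen -t ecdsa -m PEM -f "$1" -N "" -C "$2"
}

# Rewrite an existing OpenSSH-format key as PEM in place, removing any
# passphrase (ssh-keygen still prompts for the old one if one is set).
# Returns 0 only if the file ends up in PEM format; PEM keys are left alone.
ensure_pem() {
  case "$(key_format "$1")" in
    pem)     return 0 ;;
    openssh) ssh-keygen -p -f "$1" -m PEM -N "" >/dev/null || return 1 ;;
    *)       echo "unrecognised private key header in $1" >&2; return 1 ;;
  esac
  [ "$(key_format "$1")" = pem ]
}

# Constructed placeholder files (headers only, not real keys) so key_format
# can be exercised without ssh-keygen; never pass these to ensure_pem.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder' > "$SAMPLE_DIR/new_format"
printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'placeholder' > "$SAMPLE_DIR/pem_format"
printf '%s\n' 'this is not a key' > "$SAMPLE_DIR/not_a_key"
```

Run ensure_pem on the real key file before uploading it as the Private Key File; it leaves keys that are already PEM untouched.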
SSH PAM Module
SSH PAM modules allow for an extra layer of security by prompting the connecting user to respond to a challenge via keyboard input, for example Google Authenticator verification codes.
SSH PAM modules are configured separately from normal sshd settings. The config files are typically in /etc/pam.d/sshd and /etc/ssh/sshd_config respectively.
For successful SSH service launches, the connecting host must have consistent authentication methods in the PAM and sshd configurations.
For example, password authentication must be enabled in sshd_config if it is enabled in the sshd PAM settings, and vice versa. Inconsistent authentication methods in the sshd PAM stack and sshd_config can prevent proper credential handling: the sshd server may prompt for a password even though the PAM settings refuse password authentication, or the PAM settings may require password authentication even though sshd_config does not accept it.
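An added example, not from the Imprivata documentation, of a pre-launch check for the mismatch just described: it resolves the effective sshd_config values the way sshd does (first match wins) and compares them with the auth lines in /etc/pam.d/sshd. Function names, the choice of pam_google_authenticator as the challenge module, and the sample configurations are assumptions.

```shell
#!/bin/sh
# Added example (not from the VPAM documentation): report the PAM/sshd
# inconsistencies described above before a vendor's SSH service launch.
# File paths are parameters; the sample configs at the bottom are constructed.

# First-match-wins lookup of an sshd_config keyword, the way sshd resolves it
# (commented lines skipped; Match blocks not modelled). Prints the value or
# the supplied default.
sshd_opt() {
  v=$(awk -v k="$2" 'tolower($1)==tolower(k) && !s {print $2; s=1}' "$1")
  if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# True if an uncommented auth (or @include) line of the PAM stack matches $2.
pam_has() {
  grep -qE "^[[:space:]]*(auth|@include)[[:space:]].*($2)" "$1"
}

# Returns 0 when <sshd_config> and <pam.d/sshd> agree, 1 otherwise, printing
# one line per finding.
check_ssh_pam_consistency() {
  cfg=$1; pam=$2; rc=0
  usepam=$(sshd_opt "$cfg" UsePAM no)
  pw=$(sshd_opt "$cfg" PasswordAuthentication yes)
  # KbdInteractiveAuthentication is the newer name of ChallengeResponseAuthentication.
  kbd=$(sshd_opt "$cfg" KbdInteractiveAuthentication \
        "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)")
  pwmods='pam_unix|common-auth|system-auth'
  if pam_has "$pam" pam_google_authenticator; then
    [ "$usepam" = yes ] || { echo "mismatch: PAM challenge module present but UsePAM $usepam"; rc=1; }
    [ "$kbd" = yes ] || { echo "mismatch: PAM challenge needs KbdInteractiveAuthentication yes, got $kbd"; rc=1; }
  fi
  if pam_has "$pam" "$pwmods" && [ "$pw" != yes ]; then
    echo "mismatch: PAM checks passwords but sshd has PasswordAuthentication $pw"; rc=1
  fi
  if [ "$pw" = yes ] && [ "$usepam" = yes ] && ! pam_has "$pam" "$pwmods"; then
    echo "mismatch: sshd accepts passwords but the PAM auth stack has no password module"; rc=1
  fi
  return $rc
}

# Constructed samples: one consistent pair, one with the mismatches above.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'UsePAM yes' 'PasswordAuthentication no' \
  'KbdInteractiveAuthentication yes' > "$SAMPLE_DIR/sshd_ok"
printf '%s\n' 'auth required pam_google_authenticator.so' > "$SAMPLE_DIR/pam_ok"
printf '%s\n' 'UsePAM yes' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
  'KbdInteractiveAuthentication no' > "$SAMPLE_DIR/sshd_bad"
printf '%s\n' '@include common-auth' 'auth required pam_google_authenticator.so' > "$SAMPLE_DIR/pam_bad"
```

On a real host call check_ssh_pam_consistency /etc/ssh/sshd_config /etc/pam.d/sshd; a non-zero exit means the vendor's stored credential is likely to be prompted for in the wrong place.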
HTTP Credential Mapping
For information on this Credential option, read the HTTP Credential Mapping document.